Why Many Organizations Still Don’t Get Security

I hear it all the time.

“My management just doesn’t ‘get’ security.”

Or, “We tried those cyber actions a few years back, but now our execs are on to something else.”

And all over the world, people say: “My management thinks that we’ve had no major data breaches, so we must be doing something right.”

Or, “Our tech leaders are obsessed with (fill-in-the-blank) security solution, but they don’t seem to care about anything else. While that product is great, we have so many other holes that are not being addressed.”

Or, “We’ve had so many vacancies for so long that this has become the new normal. Every time we get a few people in, we tend to lose others just as fast. There is just nothing that seems to work consistently.”

Or, “I’m ready to give up and move on. I’m so frustrated. Our leaders jump from one shiny black box to another, almost like the latest diet fad. But we never implement things properly.”

Finally, how about, “Sadly, our leaders say we’ve been there, done that, and got the cyber T-shirt. After we checked that major compliance box, there’s no more budget to maintain the solution or keep staff.”

I could go on and on, but the sentiment from a surprisingly large and diverse set of public- and private-sector technology and security pros is that, for any number of reasons, their organizational culture and executive leadership do not understand, maintain, listen to, or follow through on the cybersecurity actions needed to protect the enterprise effectively.

I typically hear these types of comments after I give a presentation at a security or technology event, and the sentiment usually comes from frustrated IT or security staff. Occasionally, I hear similar lines from executive leaders.

